Security features enabled in OpenStack

Security features enabled in OpenStack

Security features enabled in MCP OpenStack

Name

Description

All Linux nodes conform to CIS baseline hardening, including hardened SSH daemon configuration, hardened firewall rules, hardened TLS cipher suites with TLS v1.2 support, hardened HTTP/REST interfaces passing all OWASP tests

The scope of default CIS hardening:

  • iptables rules

  • SSH configuration and encryption protocols

  • TCP/IP stack and network settings

  • Linux kernel VFS and file system layer

  • Security updates configuration - APT package manager

AppArmor Mandatory Access Control (MAC) framework enables support for improved security on all Linux nodes

AppArmor provides improved security for compute virtual machines by confining workloads and ensuring that different workloads do not interfere (sVirt Libvirtd Linux capability).

Ciphersuite enforcement

Strong ciphersuite enforcement (SSH, TLS) compatible with FIPS 140-2 and TLS v.1.2.

Seamless LDAP/AD integration for secure authentication purposes

MCP can leverage OpenLDAP and Microsoft Active Directory for appropriate account security including password policies and account security policies.

Customized RBAC policies for granular access control 0

MCP enables customers to develop customized RBAC policies, meeting sophisticated RBAC requirements for appropriate separation of duty (SOD) and granular access control to mitigate EoP attacks.

HAProxy for DoS/DDoS attack protection for Web and REST API access 0

MCP hides all sensitive API and HTTP web UI services behind reverse proxy making mitigation of DoS/DDoS attacks easy to implement and monitor.

TLS support with AES128/256 cipher suites and Diffie-Hellman Ephemeral Key Exchange (ECDHE)

Diffie-Hellman Ephemeral Cipher Suites support provides forward secrecy, making MCP resistant to eavesdropping and sniffing attacks.

StackLight (LMA toolchain) for improved security analytics and early anomaly detection

StackLight provides advanced analytics enabling early anomaly detection.

Network security technologies for workloads protection

A broad range of network security technologies for workloads protection: FWaaS v2 (experimental), OpenContrail SDN controller integration for advanced network service chaining and security services

CADF integration for out of the box auditing capabilities 0

CADF framework incorporated into MCP enables auditing capabilities to to mitigate repudiation and tampering threats sensitive information assets.

Enhanced auditing and security intelligence capabilities through integration with third-party SIEM and Security Intelligence tools 0

Security intelligence solutions offers improved visibility and advanced analytics of cloud events. All events related to cloud operations, privileged user operations, sensitive asset operations are monitored and analyzed in almost real-time. In case suspicious activity occurs, alarm events are triggered.

TLS Mutual Authentication for improved API and web access security 0

Mutual TLS Authentication along with TLS v1.2 support provides additional layer of security by mitigation of information disclosure, for example, Man-In-The-Middle (MITM) attacks.

OTP token support (Multi-Factor Authentication) through SAML, OIDC

Multi-Factor Authentication and integration with a broad range of OTP tokens, including RSA SecurID, SafeNet, Yubikey provides substantially improved authentication security when compared to password-only authentication.

Federation: SAML 2.0 and OpenID Connect (OIDC) support

MCP is verified to work with corporate federation solutions including Microsoft Active Directory, Shibboleth, IBM Web Sphere Security, Gluu, Ping Federate.

Secure network architecture allowing seamless DMZ integration 0

MCP flexible network templating mechanisms provides support for DMZ network topologies for API and Web UI security.

PCI DSS, FISMA/FedRamp compliance 0

PCI DSS and FISMA/FedRamp compliance is achieved with the help of QSA/3PAO security services providers to achieve the required level of conformance.

Brute-force protection 0

Mitigates DoS attack by monitoring networks for brute-force attacks with relevant HAProxy and Nginx configuration.

0(1,2,3,4,5,6,7,8)

Advanced security features require the engagement of Mirantis Services engineers.